1. The Field of the Invention
The present invention relates to the field of electronic communication. In particular, the present invention relates to methods and systems for selecting methodology for authenticating computer systems on a per computer system or per user basis.
2. The Prior State of the Art
“Authentication” is a process often used in computer networks whereby an item is determined to be what it is purported to be. Computer networks often use authentication when computer systems communicate with each other. Typically, a first computer system will use a request/response protocol to communicate with a second computer system. To accomplish this communication, the requesting computer system establishes a connection with the responding computer system. Next, the requesting computer system transmits certain requests to the responding computer system. The responding computer system will typically respond to these requests. Often, the response to the request will depend on the identity of the requesting computer system. Thus, the responding computer system often authenticates the identity of the requesting computer system in order to determine the appropriate response. In so doing, the requesting computer system may need to provide information to the responding computer system such as a password.
There are a variety of methodologies for authenticating a computer system. One method is to simply believe the requesting computer system is what it purports to be. This method will be referred to in this description and in the claims as the “assertion” method.
In another method often termed the “basic HTTP” authentication method, the requesting computer system sends a password over the computer network to the responding computer system. The responding computer system assumes that only the requesting computer system is aware of the correct password. Therefore, the responding computer system concludes that the request indeed came from the requesting computer system if the password is correct.
In a more recent HTTP authentication method termed the “MD5 Message Digest Authentication” method (hereinafter, “the digest” method), the password is not passed over the computer network at all. Instead, a series of numbers is generated based on a candidate password and other information about the request. These numbers are then hashed using the well-known MD5 hashing algorithm to form a “digest”. The requesting computer system then sends the digest over the computer network to the responding computer system. The responding computer system takes the password that it knows to be correct, and forms its own digest by performing the same method on the correct password as the requesting computer system performed on the candidate password. The digest generated by the requesting computer system is then compared with the digest generated by the responding computer system. If the digests match, the responding computer system determines that the alleged requesting computer system also generated the digest based on the correct password and thus is indeed the authentic requesting computer system.
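The digest exchange described above, worked through as an added example (this code is not part of the patent text). It follows the RFC 2617 construction with qop=auth, which is one concrete form of the "series of numbers ... hashed using MD5" the description refers to; the realm, user, password, nonce and URI values are constructed for the example, and the Basic-scheme header is built alongside so the difference in what crosses the network is visible.

```python
import base64
import hashlib
import secrets

# Constructed sample values for this example; none of them come from the patent text.
REALM = "example-realm"
CREDENTIALS_ON_SERVER = {"alice": "correct horse"}   # password the responding system knows
METHOD = "GET"
URI = "/reports/quarterly"


def _h(*parts: str) -> str:
    """MD5 over the colon-joined parts, lowercase hex (RFC 2617's H() and KD())."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Basic scheme: the password itself crosses the network, merely base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def basic_header_reveals_password(header: str, password: str) -> bool:
    """Decoding the Basic token recovers the password verbatim."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    return decoded.split(":", 1)[1] == password


def digest_response(user, realm, password, nonce, method, uri, nc, cnonce, qop="auth"):
    """RFC 2617 'response' for qop=auth: the password enters only through HA1."""
    ha1 = _h(user, realm, password)
    ha2 = _h(method, uri)
    return _h(ha1, nonce, nc, cnonce, qop, ha2)


def client_digest_header(user, candidate_password, nonce, cnonce=None, nc="00000001"):
    """What the requesting system sends: the digest plus its public inputs, never the password."""
    cnonce = cnonce or secrets.token_hex(8)
    return {
        "username": user, "realm": REALM, "nonce": nonce, "uri": URI,
        "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(user, REALM, candidate_password, nonce, METHOD, URI, nc, cnonce),
    }


def server_verify(header: dict, issued_nonce: str) -> bool:
    """Responding system recomputes the digest with the password it knows and compares."""
    if header.get("nonce") != issued_nonce:
        return False                       # replayed or forged challenge
    known = CREDENTIALS_ON_SERVER.get(header.get("username"))
    if known is None:
        return False                       # no shared password: the digest method cannot succeed
    expected = digest_response(header["username"], header["realm"], known, header["nonce"],
                               METHOD, header["uri"], header["nc"], header["cnonce"], header["qop"])
    return secrets.compare_digest(expected, header["response"])


def header_leaks_password(header: dict, password: str) -> bool:
    """True if the password text appears in any field sent over the wire."""
    return any(password in str(v) for v in header.values())


def demo(candidate_password: str, nonce: str = "constructed-nonce", cnonce: str = "0a1b2c3d") -> bool:
    """Round trip: build the client's header for a candidate password, have the server verify it."""
    hdr = client_digest_header("alice", candidate_password, nonce, cnonce)
    return server_verify(hdr, nonce)


if __name__ == "__main__":
    print("correct password accepted:", demo("correct horse"))
    print("wrong password accepted:", demo("wrong horse"))
    print("Basic header reveals password:",
          basic_header_reveals_password(basic_header("alice", "correct horse"), "correct horse"))
```

The nonce check matters in practice: because the server binds the digest to a challenge it issued, a captured header cannot simply be replayed against a later challenge, and an unknown user (for whom the server holds no password) is rejected outright, which is exactly the external-client situation the description goes on to discuss.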
One authentication method that is native to WINDOWS NT® is termed the WINDOWS NT® LAN Manager or “NTLM” authentication method. In this method, the requesting computer system sends “credentials” including a user name and an encrypted password to the responding computer system.
The abilities of the requesting computer system (and the responding computer system) to handle certain authentication methods will differ from requesting computer system to requesting computer system and user to user.
For example, some requesting computer systems and users may have permissions to perform sensitive operations. It would seem inappropriate, even dangerous, to allow such requesting computer systems to authenticate using the untrustworthy assertion method. However, the assertion method may be entirely appropriate for requesting computer systems that only have permission to perform harmless operations.
Some authentication methods require common knowledge of passwords between the requesting computer system and the responding computer system. However, oftentimes the responding computer system will have no idea of the correct password for certain computer systems such as those residing outside of the responding computer system's corporate network. Thus, authentication methods that require common password knowledge may inappropriately deny service in some instances to requesting computer systems that lie outside of the corporate network. Therefore, what are desired are methods and systems for reducing denials of service to requesting computer systems that should have access to the service.
Even if the requesting client computer system can authenticate using one of the authentication methodologies accepted by the responding computer system, the requesting client computer system may try several unacceptable authentication methods first before finally trying one that is acceptable. Therefore, what are also desired are methods and systems for improving authentication efficiency.
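The per-system, per-user selection that the last four paragraphs motivate, as an added example that is not the patent's own method: a policy function chooses which methods are acceptable for a given user, client address and operation (shared-password methods only where the responder knows a password, assertion only for harmless operations and never for privileged users), the responder advertises only those, and two counters compare how many round trips a client needs when it tries its own preference order blindly versus when it intersects with the advertised list. The network range, user set and operation names are constructed for the example; the "NTLM only for internal hosts" rule is an assumption of the example, not something the description states.

```python
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class AuthMethod(Enum):
    ASSERTION = "assertion"   # believe the requester; no secret involved
    BASIC = "Basic"           # password itself sent over the network
    DIGEST = "Digest"         # MD5 digest; needs a shared password
    NTLM = "NTLM"             # Windows NT credentials; needs a shared secret


# Constructed policy data (hypothetical; not values from the patent text).
CORPORATE_NET = ip_network("10.0.0.0/8")
KNOWN_PASSWORDS = {"alice": "hunter2", "bob": "s3cret"}   # users the responder holds a password for
SENSITIVE_USERS = {"alice"}                               # may perform sensitive operations
HARMLESS_OPERATIONS = {"read-public"}


def acceptable_methods(user: str, client_ip: str, operation: str) -> list:
    """Per-user / per-client choice of acceptable methods, strongest first."""
    methods = []
    if user in KNOWN_PASSWORDS:
        methods.append(AuthMethod.DIGEST)
        if ip_address(client_ip) in CORPORATE_NET:
            methods.append(AuthMethod.NTLM)   # assumption: NTLM offered only to internal hosts
        methods.append(AuthMethod.BASIC)
    # Assertion only for harmless operations, and never for users with sensitive permissions.
    if operation in HARMLESS_OPERATIONS and user not in SENSITIVE_USERS:
        methods.append(AuthMethod.ASSERTION)
    return methods


def www_authenticate_challenges(methods, realm="example-realm", nonce="constructed-nonce") -> list:
    """Challenge lines the responder advertises, so the client sees only acceptable schemes."""
    lines = []
    for m in methods:
        if m is AuthMethod.BASIC:
            lines.append(f'Basic realm="{realm}"')
        elif m is AuthMethod.DIGEST:
            lines.append(f'Digest realm="{realm}", qop="auth", nonce="{nonce}"')
        elif m is AuthMethod.NTLM:
            lines.append("NTLM")
        # assertion needs no challenge: the request is simply accepted as-is
    return lines


def attempts_blind(client_prefs, acceptable) -> Optional[int]:
    """Client tries its own preference order; each rejected method costs a round trip."""
    for n, m in enumerate(client_prefs, start=1):
        if m in acceptable:
            return n
    return None          # every method rejected: service denied


def attempts_with_selection(client_prefs, acceptable) -> Optional[int]:
    """Client intersects its list with the advertised one first: at most one attempt."""
    usable = [m for m in client_prefs if m in acceptable]
    return 1 if usable else None


if __name__ == "__main__":
    prefs = [AuthMethod.ASSERTION, AuthMethod.BASIC, AuthMethod.DIGEST]
    for user, ip, op in [("alice", "10.1.2.3", "transfer"),
                         ("guest", "203.0.113.5", "read-public"),
                         ("guest", "203.0.113.5", "transfer")]:
        ok = acceptable_methods(user, ip, op)
        print(user, ip, op, [m.value for m in ok],
              "blind:", attempts_blind(prefs, ok), "selected:", attempts_with_selection(prefs, ok))
        print("   challenges:", www_authenticate_challenges(ok))
```

With the constructed data, an external guest reading public data is let through by assertion alone, the same guest attempting a sensitive operation is denied because no shared-password method is available and assertion is not acceptable there, and an internal privileged user who blindly leads with assertion spends an extra round trip that the advertised list removes.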